DescriptionApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1031733

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-fileupload-java (PTS)buster1.3.3-1vulnerable
bookworm, sid1.4-2fixed
tomcat10 (PTS)bookworm, sid10.1.6-1fixed
tomcat9 (PTS)buster9.0.31-1~deb10u6vulnerable
buster (security)9.0.31-1~deb10u8vulnerable
bullseye (security), bullseye9.0.43-2~deb11u6vulnerable
bookworm, sid9.0.70-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bullseye] - libcommons-fileupload-java <no-dsa> (Minor issue)
[buster] - libcommons-fileupload-java <no-dsa> (Minor issue) (commons-fileupload-1.5)
Caution: patch is no-op by default, reverse-dependencies would need to provide updated settings (10.1.5) (9.0.71)
When fixing the issue make sure to apply complete fixes to not open CVE-2023-28709
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version

Search for package or bug name: Reporting problems